From f69ccf171b36eca4cdc637e065065785aef8aebc Mon Sep 17 00:00:00 2001 From: nscuro Date: Fri, 6 Oct 2023 16:53:56 +0200 Subject: [PATCH] Add v4.9.0 release notes Signed-off-by: nscuro --- docs/_config.yml | 2 +- docs/_posts/2023-10-16-v4.9.0.md | 193 +++++++++++++++++++++++++++++++ 2 files changed, 194 insertions(+), 1 deletion(-) create mode 100644 docs/_posts/2023-10-16-v4.9.0.md diff --git a/docs/_config.yml b/docs/_config.yml index 023d31b53..2d5a3af30 100755 --- a/docs/_config.yml +++ b/docs/_config.yml @@ -6,7 +6,7 @@ url: "https://docs.dependencytrack.org" baseurl: show_full_navigation: true -version: v4.8 +version: v4.9 # Values for the jekyll-seo-tag gem (https://github.com/jekyll/jekyll-seo-tag) logo: /siteicon.png diff --git a/docs/_posts/2023-10-16-v4.9.0.md b/docs/_posts/2023-10-16-v4.9.0.md new file mode 100644 index 000000000..22a9d4349 --- /dev/null +++ b/docs/_posts/2023-10-16-v4.9.0.md 
@@ -0,0 +1,193 @@ +--- +title: v4.9.0 +type: major +--- + +**Features:** + +* Support import of CycloneDX v1.5 BOMs - [apiserver/#2850] +* Introduce `odt_` prefix for API keys to ease leak detection - [apiserver/#3047] +* Add support for SPDX license expressions - [apiserver/#2400] + * Refer to [Policy Compliance] for details on how license expressions behave in policies +* Update SPDX license list to v3.21 - [apiserver/#3006] +* Support resolving of custom licenses by name, instead of only by ID - [apiserver/#2769] +* Add version distance policy condition - [apiserver/#2537] +* Separate policy evaluation into its own background task - [apiserver/#2523] +* Allow policy violation state to be set via API - [apiserver/#2997] +* Add "Outdated only" and "Direct only" options for viewing components of a project - [apiserver/#2568] +* Update bundled CWE dictionary to v4.12 - [apiserver/#2877] +* Reduce number of API requests necessary to populate the dependency graph of a project - [apiserver/#2623] +* Include JDBC connectors for Google Cloud SQL - [apiserver/#2651] +* Update default Snyk API version to `2023-06-22` - [apiserver/#2911] +* Log warnings when analyses from VEX could not be applied - [apiserver/#2989] +* Update Docker base image latest Debian stable - [apiserver/#2904] +* Update temurin base image to `17.0.8.1_1` - [apiserver/#3069] +* Add extensive test suite for CPE matching logic - [apiserver/#2243] +* Update documentation for private vulnerability database - [apiserver/#2990] +* Add docs and example config for logging in JSON format - [apiserver/#2933] +* Add note about required plan for the Snyk integration to docs - [apiserver/#2899] +* Update example Grafana dashboard - [apiserver/#2788] +* Add Docker Compose files for simplified local testing - [apiserver/#2675] +* Add auto-provisioning of Grafana to Docker Compose development setup - [apiserver/#2879] +* Hide username and password fields on login view when OIDC is enabled - [frontend/#613] +* Make 
NGINX listen on both IPv4 and IPv6 interfaces - [frontend/#427] +* Display external references and description in project overview - [frontend/#485] +* Use separate icons for current and out-of-date components to improve accessibility - [frontend/#311] +* Propagate `searchText` query parameter to list views - [frontend/#563] +* Raise baseline NodeJS version to 18 - [frontend/#470] +* Upgrade CoreJS to 3.x - [frontend/#548] + +**Fixes:** + +* Fix memory leak in policy evaluation - [apiserver/#2872] +* Fix memory leak in VEX upload processing - [apiserver/#2873] +* Fix VDR export erroneously containing non-vulnerable components - [apiserver/#2878] +* Fix VEX export erroneously containing dependency graph - [apiserver/#3067] +* Fix false positives in CPE matching when *version* attribute of a CVE's CPE is `NA` - [apiserver/#1832] +* Fix false negatives in CPE matching when *part* or *vendor* attribute of a component's CPE is `ANY` - [apiserver/#2988] +* Fix Uncaught internal server error when fetching components by hash if *Portfolio Access Control* is enabled - [apiserver/#2953] +* Fix *Affected Component* format for CPEs with version ranges - [apiserver/#2967] +* Fix missing duplicate check when cloning projects - [apiserver/#2966] +* Fix `NullPointerException` when checking for existence of projects without version - [apiserver/#3068] +* Fix module import issues when working on the code base with Eclipse - [apiserver/#2971] +* Fix version distance policy being evaluated despite not being configured - [apiserver/#2980] +* Fix `@JsonIgnore` having no effect on `transient` fields - [apiserver/#3051] +* Fix misleading docs about authentication and authorization enforcement being optional - [apiserver/#3047] +* Fix default Slack notification template producing invalid JSON for `PROJECT_AUDIT_CHANGE` notifications - [apiserver/#2838] +* Fix default Mattermost notification template producing invalid JSON for `NEW_VULNERABLE_DEPENDENCY` notifications - [apiserver/#3093] +* 
Fix number of project versions displayed in dropdown being limited to 10 - [frontend/#397] +* Fix unauthenticated users not being redirected to login page - [frontend/#502] +* Fix no permissions being defined for dashboard route - [frontend/#506] +* Fix regression in Docker Compose file regarding application directory - [frontend/#494] +* Fix external references dropdown rendering outside the screen - [frontend/#539] +* Fix vulnerability aliases not being displayed in expanded rows of findings table - [frontend/#559] +* Fix type error in external references dropdown - [frontend/#565] +* Fix license expression input fields - [frontend/#580] +* Fix wrong message being displayed when creating policies - [frontend/#610] +* Fix file permissions of NGINX config file - [frontend/#611] + +**Upgrade Notes:** + +* API keys generated after the upgrade will be prefixed with `odt_`. Existing API keys without this prefix will +continue to work. The prefix is configurable via `alpine.api.key.prefix`, although customization is not recommended. +Refer to [Configuration] for details. +* Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. +This is expected as a result of [apiserver/#2988] being fixed. If newly identified vulnerabilities turn out to be largely +false positives, let the project team know by [reporting a defect]. + +For a complete list of changes, refer to the respective GitHub milestones: + +* [API server milestone 4.9.0](https://github.com/DependencyTrack/dependency-track/milestone/24?closed=1) +* [Frontend milestone 4.9.0](https://github.com/DependencyTrack/frontend/milestone/14?closed=1) + +We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes. 
+ +Special thanks to everyone who contributed code to implement enhancements and fix defects: +[@HagarJNode], [@Meroje], [@Nikemare], [@RingoDev], [@Shawyeok], [@dustin-decker], [@hborchardt], [@heubeck], +[@mattmatician], [@melba-lopez], [@muellerst-hg], [@nathan-mittelette], [@sahibamittal], [@sephiroth-j], [@syalioune], +[@takumakume], [@valentijnscholten], [@walterdeboer] + +###### dependency-track-apiserver.jar + +| Algorithm | Checksum | +|:----------|:---------| +| SHA-1 | | +| SHA-256 | | + +###### dependency-track-bundled.jar + +| Algorithm | Checksum | +|:----------|:---------| +| SHA-1 | | +| SHA-256 | | + +###### frontend-dist.zip + +| Algorithm | Checksum | +|:----------|:-----------------------------------------------------------------| +| SHA-1 | 151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b | +| SHA-256 | 1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a | + +###### Software Bill of Materials (SBOM) + +* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.9.0/bom.json) +* Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.9.0/bom.json) + +[apiserver/#1832]: https://github.com/DependencyTrack/dependency-track/issues/1832 +[apiserver/#2243]: https://github.com/DependencyTrack/dependency-track/issues/2243 +[apiserver/#2400]: https://github.com/DependencyTrack/dependency-track/pull/2400 +[apiserver/#2523]: https://github.com/DependencyTrack/dependency-track/pull/2523 +[apiserver/#2537]: https://github.com/DependencyTrack/dependency-track/pull/2537 +[apiserver/#2568]: https://github.com/DependencyTrack/dependency-track/pull/2568 +[apiserver/#2623]: https://github.com/DependencyTrack/dependency-track/pull/2623 +[apiserver/#2651]: https://github.com/DependencyTrack/dependency-track/pull/2651 +[apiserver/#2675]: https://github.com/DependencyTrack/dependency-track/pull/2675 +[apiserver/#2769]: https://github.com/DependencyTrack/dependency-track/pull/2769 
+[apiserver/#2788]: https://github.com/DependencyTrack/dependency-track/pull/2780 +[apiserver/#2838]: https://github.com/DependencyTrack/dependency-track/issues/2838 +[apiserver/#2850]: https://github.com/DependencyTrack/dependency-track/issues/2850 +[apiserver/#2872]: https://github.com/DependencyTrack/dependency-track/pull/2872 +[apiserver/#2873]: https://github.com/DependencyTrack/dependency-track/pull/2873 +[apiserver/#2877]: https://github.com/DependencyTrack/dependency-track/pull/2877 +[apiserver/#2878]: https://github.com/DependencyTrack/dependency-track/pull/2878 +[apiserver/#2879]: https://github.com/DependencyTrack/dependency-track/pull/2879 +[apiserver/#2899]: https://github.com/DependencyTrack/dependency-track/pull/2899 +[apiserver/#2904]: https://github.com/DependencyTrack/dependency-track/pull/2904 +[apiserver/#2911]: https://github.com/DependencyTrack/dependency-track/pull/2911 +[apiserver/#2933]: https://github.com/DependencyTrack/dependency-track/pull/2933 +[apiserver/#2953]: https://github.com/DependencyTrack/dependency-track/pull/2953 +[apiserver/#2966]: https://github.com/DependencyTrack/dependency-track/pull/2966 +[apiserver/#2967]: https://github.com/DependencyTrack/dependency-track/pull/2967 +[apiserver/#2971]: https://github.com/DependencyTrack/dependency-track/pull/2971 +[apiserver/#2980]: https://github.com/DependencyTrack/dependency-track/pull/2980 +[apiserver/#2988]: https://github.com/DependencyTrack/dependency-track/issues/2988 +[apiserver/#2989]: https://github.com/DependencyTrack/dependency-track/pull/2989 +[apiserver/#2990]: https://github.com/DependencyTrack/dependency-track/pull/2990 +[apiserver/#2997]: https://github.com/DependencyTrack/dependency-track/pull/2997 +[apiserver/#3006]: https://github.com/DependencyTrack/dependency-track/pull/3006 +[apiserver/#3047]: https://github.com/DependencyTrack/dependency-track/pull/3047 +[apiserver/#3051]: https://github.com/DependencyTrack/dependency-track/pull/3051 +[apiserver/#3067]: 
https://github.com/DependencyTrack/dependency-track/pull/3067 +[apiserver/#3068]: https://github.com/DependencyTrack/dependency-track/pull/3068 +[apiserver/#3069]: https://github.com/DependencyTrack/dependency-track/pull/3069 +[apiserver/#3093]: https://github.com/DependencyTrack/dependency-track/issues/3093 +[frontend/#311]: https://github.com/DependencyTrack/frontend/issues/311 +[frontend/#397]: https://github.com/DependencyTrack/frontend/issues/397 +[frontend/#427]: https://github.com/DependencyTrack/frontend/pull/427 +[frontend/#470]: https://github.com/DependencyTrack/frontend/issues/470 +[frontend/#485]: https://github.com/DependencyTrack/frontend/pull/485 +[frontend/#494]: https://github.com/DependencyTrack/frontend/pull/494 +[frontend/#502]: https://github.com/DependencyTrack/frontend/pull/502 +[frontend/#506]: https://github.com/DependencyTrack/frontend/pull/506 +[frontend/#539]: https://github.com/DependencyTrack/frontend/issues/539 +[frontend/#548]: https://github.com/DependencyTrack/frontend/pull/548 +[frontend/#559]: https://github.com/DependencyTrack/frontend/pull/559 +[frontend/#563]: https://github.com/DependencyTrack/frontend/pull/563 +[frontend/#565]: https://github.com/DependencyTrack/frontend/pull/565 +[frontend/#580]: https://github.com/DependencyTrack/frontend/pull/580 +[frontend/#610]: https://github.com/DependencyTrack/frontend/pull/610 +[frontend/#611]: https://github.com/DependencyTrack/frontend/pull/576 +[frontend/#613]: https://github.com/DependencyTrack/frontend/pull/613 + +[Configuration]: {{ site.baseurl }}{% link _docs/getting-started/configuration.md %} +[Policy Compliance]: {{ site.baseurl }}{% link _docs/usage/policy-compliance.md %}#license-violation +[reporting a defect]: https://github.com/DependencyTrack/dependency-track/issues/new?assignees=&labels=defect%2Cin+triage&projects=&template=defect-report.yml + +[@HagarJNode]: https://github.com/HagarJNode +[@Meroje]: https://github.com/Meroje +[@Nikemare]: 
https://github.com/Nikemare +[@RingoDev]: https://github.com/RingoDev +[@Shawyeok]: https://github.com/Shawyeok +[@dustin-decker]: https://github.com/dustin-decker +[@hborchardt]: https://github.com/hborchardt +[@heubeck]: https://github.com/heubeck +[@mattmatician]: https://github.com/mattmatician +[@melba-lopez]: https://github.com/melba-lopez +[@muellerst-hg]: https://github.com/muellerst-hg +[@nathan-mittelette]: https://github.com/nathan-mittelette +[@sahibamittal]: https://github.com/sahibamittal +[@sephiroth-j]: https://github.com/sephiroth-j +[@syalioune]: https://github.com/syalioune +[@takumakume]: https://github.com/takumakume +[@valentijnscholten]: https://github.com/valentijnscholten +[@walterdeboer]: https://github.com/walterdeboer \ No newline at end of file
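Review bot: The reference definition `[apiserver/#2788]: https://github.com/DependencyTrack/dependency-track/pull/2780` in the new `2023-10-16-v4.9.0.md` has a label/URL mismatch, so the "Update example Grafana dashboard" entry will link to the wrong PR; make the label and URL agree (either `#2780` in the text and definition, or `pull/2788` in the URL). `[frontend/#611]: https://github.com/DependencyTrack/frontend/pull/576` has the same shape; if issue 611 was closed by PR 576 that is fine, but every other entry uses the same number in label and URL, so confirm it is intentional. The checksum tables for `dependency-track-apiserver.jar` and `dependency-track-bundled.jar` are empty while `frontend-dist.zip` already carries SHA-1 and SHA-256 values; readers use these to verify downloaded artifacts, so fill them in before the post goes live or mark them with a visible placeholder so the gap is not missed. The post is dated `2023-10-16` while the commit is from 6 October; Jekyll skips future-dated posts unless `future: true` is set, so confirm the docs build either sets that or runs on or after the release date. Minor: "Update Docker base image latest Debian stable" is missing "to", "Fix Uncaught internal server error" has a stray capital, and the file ends without a trailing newline.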